A recent editorial in "Computing" weekly called "Online security is a duty for us all" discussed new measures that banks are implementing against fraud:
The banks are taking a carrot approach, carefully avoiding the stick. But if new measures fail to halt the problem, the onus might shift to the consumer. Banks may one day only indemnify customers against fraud if they have the necessary precautions in place - from suitably secured home PCs to two- or even three-factor authentication tools such as biometrics. That could lead us down a rocky road - a banking community divided by technical ability and personal security. Would the days of better interest rates for more secure customers be far behind?
This is not an option that anybody - banks or their customers - would want to consider.
Why on earth not? It sounds like an excellent idea to me. One reason people don't pay too much attention to the security of their PCs at the moment is that they don't have much obvious incentive to do so. If their bank said "turn on a firewall, use a secure browser and run regular spyware scans, and we'll give you an extra 2% on your savings", we might see quite a few more secure PCs.
Posted by gerv at June 11, 2005 12:01 AM
How would your bank know whether you perform the security measures or not without some sort of spyware?
No thanks.
Posted by: poynting at June 11, 2005 12:51 AM
They could automatically give the savings, but deduct it if the user reports any security problems. This is unlikely to happen, though, since the banks would probably lose a lot of money, and it would give their customers a disincentive to report security problems. It is probably more likely that banks will start charging security fees for people who fall for phishing scams and the like.
Posted by: Martey at June 11, 2005 1:33 AM
Well either
1) it's based on honor and we know that many people have no sense of honor when it comes to money or
2) we have to allow the bank to somehow access our computer to see if the necessary precautions are taken. Well, I for one, welcome our new pc-controlling banking overlords.
Also, I don't have a software firewall (I have a router), and I don't have a spyware scanner (I'm running linux), so does the bank consider me a security threat?
Posted by: Alan Trick at June 11, 2005 1:46 AM
Banks, eh? These same institutions which _still_ are often only supporting IE?
I wouldn't have much trust in them being capable of drafting any kind of reasonable guidelines for security which wouldn't severely limit progress.
"You MUST use Firefox 1.0.2 (higher versions not allowed) or MSIE 6.0 SP 2, a virus scanner by one of these three big (expensive) companies, and have windows update enabled," sounds about right.
After that, it'll be absolutely impossible to get regular users to ever switch to anything else, because it'll _cost them money_.
Bonuses for those that have security precautions in place might be nice, but that's "carrot" again, and as other comments point out, pretty much impossible to check on effectively, especially without invading privacy.
It'd have to work the other way around - 2% interest bonus for people using online banking, and you'd lose the bonus if you made a mistake with your security in whatever way. Same kind of thing as giving people interest free credit and then whacking them with penalties if they miss a deadline by a day or whatever, or giving insurance cheap to people that don't make claims - the result is an unfair system that ends up encouraging people to do things wrong to whatever extent they can get away with it.
The idea sounds good in principle, but I can't imagine any way that banks would implement it fairly.
Posted by: michaell at June 11, 2005 1:56 PM
Pah, why put the onus on the consumer when perfectly well suitable challenge/response systems are available? See: http://www.ubs.com/1/e/ebanking/internet/internet_security/requirements.html
And it works perfectly well with all modern browsers on all operating systems.
Posted by: tr at June 11, 2005 4:12 PM
The problem with their first requirement is that it requires users to go out and buy extra hardware - hardware that is only useful for that one thing, which costs extra money. And as far as I can tell there's nothing new in the rest of the page.
Posted by: Alan Trick at June 12, 2005 8:05 AM
What a nice idea. Everyone has a smart card that uniquely identifies them and they must use this card to access their bank accounts. You could put biometric data on it and personal details, next of kin etc. Of course you would always need to carry it if you ever wanted money - online or cashpoint....
Perfect.
Wait a minute.
Posted by: Chris (Lambert) at June 12, 2005 12:43 PM
You normally get the card and the reader for free with your account. If not, it costs, together with the reader, something like $30. And no, there's no biometrics in there and it only identifies yourself towards one bank. You know, for once I *want* my bank to have the possibility to identify me, no privacy concerns here.
You identify yourself with something you've got (the smartcard) and something you know (your pin) and the thing you've got can't just be copied like a sheet with numbers on it. It's a smart card with its own processor, RSA/DSA unit, protection against physical attacks etc. It's pretty damn secure.
Posted by: tr at June 13, 2005 8:04 AM
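The challenge/response scheme tr describes above (something you have plus something you know, with a fresh bank-issued challenge that a copied number sheet cannot answer) as an added example; this is not code from the original post or comments and not UBS's actual protocol. The `SmartCard`, `Bank`, `login` and `run_scenarios` names, the three-strike PIN lock and the sample card id and PIN are all assumptions, and an HMAC-SHA256 over a secret shared at enrolment stands in for the on-card RSA/DSA signature so the example runs with the standard library only.

```python
import hmac
import hashlib
import secrets


class SmartCard:
    """Stand-in for the customer's card (assumed design, not a real product).
    Holds a per-card secret that never leaves the card ("something you have"),
    unlocked by the PIN ("something you know").  A real card would sign the
    challenge with an on-card RSA/DSA key; HMAC-SHA256 is used here instead."""

    def __init__(self, card_id: str, secret: bytes, pin: str):
        self.card_id = card_id
        self._secret = secret
        self._pin = pin
        self._failed_pins = 0

    def respond(self, pin: str, challenge: bytes) -> bytes:
        # Real cards lock after a few wrong PINs; three strikes is an assumption.
        if self._failed_pins >= 3:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed_pins += 1
            raise PermissionError("wrong PIN")
        self._failed_pins = 0
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Bank:
    """Bank side: issues a fresh random challenge per login and consumes it on
    verification, so a captured response cannot be replayed later."""

    def __init__(self):
        self._secrets = {}   # card_id -> secret provisioned at enrolment
        self._pending = {}   # card_id -> outstanding challenge (one at a time)

    def enroll(self, card_id: str, secret: bytes) -> None:
        self._secrets[card_id] = secret

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(card_id, None)   # single use, then gone
        if nonce is None or card_id not in self._secrets:
            return False
        expected = hmac.new(self._secrets[card_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(bank: Bank, card: SmartCard, pin: str) -> bool:
    """One full exchange: bank sends challenge, card answers, bank checks."""
    nonce = bank.challenge(card.card_id)
    try:
        response = card.respond(pin, nonce)
    except PermissionError:
        return False
    return bank.verify(card.card_id, response)


def run_scenarios() -> dict:
    """Constructed scenario showing which factor each failed attempt lacks."""
    bank = Bank()
    secret = secrets.token_bytes(32)           # provisioned into the card
    card = SmartCard("card-0001", secret, "4711")   # sample id and PIN
    bank.enroll("card-0001", secret)

    results = {}
    results["genuine_login"] = login(bank, card, "4711")

    # Replay: a response observed on the wire is accepted once, never again.
    nonce = bank.challenge("card-0001")
    captured = card.respond("4711", nonce)
    results["first_use_accepted"] = bank.verify("card-0001", captured)
    results["replay_rejected"] = not bank.verify("card-0001", captured)

    # Phished PIN without the card: no card secret, so no valid response.
    fake_card = SmartCard("card-0001", b"not the real secret", "4711")
    results["pin_alone_rejected"] = not login(bank, fake_card, "4711")

    # Stolen card without the PIN: rejected, and the card locks after 3 tries.
    results["wrong_pin_rejected"] = not login(bank, card, "0000")
    login(bank, card, "0000")
    login(bank, card, "0000")
    results["locked_card_rejected"] = not login(bank, card, "4711")
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The two properties the comment relies on are visible here: the secret only ever produces a response to a nonce the bank just generated, so copying a past response (the way a TAN sheet can be copied) gains nothing, and neither factor on its own passes `verify`.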